Introduction
Lucidum includes a feature called SmartLabels. SmartLabels allow you to apply business rules to Lucidum data. For details on SmartLabels, see the chapter Creating and Managing SmartLabels.
Lucidum includes pre-built SmartLabels, called Value-Oriented SmartLabels or VOSLs. You can find these VOSLs under the Lucidum SmartLabels tab in the SmartLabel Management page.
VOSLs include common use cases to help you get immediate insights from Lucidum data.
SmartLabels, including VOSLs, appear in the Query Builder as a standard data field. You can use SmartLabels as you would a standard data field.
Value-Oriented SmartLabels are included with Lucidum and encompass the most common uses of SmartLabels.
Like Value-Oriented Dashboards, Value-Oriented SmartLabels are read-only. You can use them but cannot edit them.
List of VOSLs
Lucidum includes the following Value-Oriented SmartLabels:
| VOSL | Description | Data Type for Output |
|---|---|---|
| All Vulns | Concatenates all vulnerabilities (criticals, highs, mediums and lows) into a single, concise field for efficient display. The resulting string looks like: Critical <number of critical vulnerabilities> / High <number of high vulnerabilities> / Medium <number of medium vulnerabilities> / Low <number of low vulnerabilities>. For example, for a single asset, this VOSL could return: Critical 1 / High 5 / Medium 3 / Low 1 | String |
| Assets with Users | Returns “True” if an asset record includes an associated user record. | Boolean |
| Cloud Provider | Specifies the public cloud provider for an asset. Possible values are: AWS, Azure, Oracle Cloud, GCP | String |
| Compute Patching Status | Evaluates to “True” if an asset is a compute asset and needs patches and “False” if an asset does not need patches. | Boolean |
| Crits or Zero | Returns the number of critical vulnerabilities associated with an asset. Returns 0 (zero) if there are no critical vulnerabilities associated with an asset. | Integer |
| Crown Jewels | Crown Jewels are those assets that are business-critical and which, if compromised, would pose a grave risk to the business or mission. Crown Jewels is a SmartLabel that you can clone and customize to meet your specific criteria for Crown Jewels. The default criteria are: … OR … OR … OR … OR … Returns TRUE if an asset meets one of these criteria. | Boolean |
| Data Sources Count: Asset | Counts the number of “Data Sources” fields for each asset. For example, an asset might have three data sources: AWS, Active Directory, and Datadog. The Data Sources Count: Asset field would return the value “3”. | Integer |
| Data Sources Count: User | Counts the number of “Data Sources” fields for each user. For example, a user might have three data sources: AWS SSO Identity Store, Datadog User, and Oracle Cloud Users. The Data Sources Count: User field would return the value “3”. | Integer |
| Dept Risk Multiplier | Multiplies the risk scores for assets in the Finance (2x), Legal (3x), and IT (5x) departments, because these assets tend to store sensitive data. For example, an asset in the Legal department might have a Risk Score of 6. The Dept Risk Multiplier field displays 18 (3 x 6). | Integer |
| Email Domain | Splits email addresses into user name and domain. For the user road.runner@acme.com, the value in the Email Domain field would be the list: “road.runner”, “acme.com” | List |
| EOL Linux | Returns “True” if an asset is online and is running an end-of-life version of Linux. | Boolean |
| EOL macOS | Returns “True” if an asset is online and is running an end-of-life version of macOS. | Boolean |
| EOL Windows Server | Returns “True” if an asset is online and is running an end-of-life version of Windows Server. | Boolean |
| EOL Windows Workstation | Returns “True” if an asset is online and is running an end-of-life version of Windows Workstation. | Boolean |
| Highs or Zero | Returns the number of high severity vulnerabilities associated with an asset. Returns 0 (zero) if there are no high severity vulnerabilities associated with the asset. | Integer |
| Kaspersky Top-N Exploited Vulns: 2023 | Returns the value “True” if an asset includes one or more of the vulnerabilities included in the Kaspersky Top Exploited Vulnerabilities for 2023. | Boolean |
| Lows or Zero | Returns the number of low severity vulnerabilities associated with an asset. Returns 0 (zero) if there are no low severity vulnerabilities associated with an asset. | Integer |
| Lucidum Best Hostname | Allows users to choose a value to use as a hostname in Lucidum. Default choices are cloud Instance Name, Full Domain Name, Host ID, VMware Asset Description, Latest Asset Name, Source Asset Name, and Lucidum Asset Name. Because Lucidum ingests data from many data sources, there are multiple fields that are populated with possible hostnames. For example, users might choose to use the field Lucidum Source Asset Name as a hostname in a dashboard. Or users might choose to use the field Full Domain Name, Asset Description, or cloud Instance ID. Returns a string with the selected hostname. | String |
| MAC Address Count | For assets with a MAC address, finds assets that have more than one MAC address. This determines which assets have more than one NIC. For assets with more than one MAC address, the MAC Address Count field displays the number of MAC addresses. | Integer |
| Meds or Zero | Returns the number of medium severity vulnerabilities associated with an asset. Returns 0 (zero) if there are no medium severity vulnerabilities associated with an asset. | Integer |
| Okta MFA Status | If a user account uses Okta MFA, returns the value “True”. If a user account does not use Okta MFA, returns the value “False”. | Boolean |
| Online Compute | Finds all Windows, Linux, macOS, Unix, and ESXi assets that have IP addresses and are online. If you used the query Online Compute = TRUE, the resulting list of assets would be all Windows, Linux, macOS, Unix, and ESXi assets that have IP addresses and are online. | Boolean |
| OS Raw vs. Normalized | Concatenates a string that shows the original, raw OS name and version and the Lucidum normalized OS and version. The OS Raw vs. Normalized field includes the raw OS name > the normalized OS name. For example: Ubuntu 20.04 👉🏻 Ubuntu Linux 20.04 or ubuntu 20.04 👉🏻 Ubuntu Linux 20.04 or 20.04 Ubuntu 👉🏻 Ubuntu Linux 20.04 or 20.04 ubuntu 👉🏻 Ubuntu Linux 20.04 | String |
| Risk Factor Count | Returns the number of Risk Factors associated with an asset. | Integer |
| Title & Dept (Asset) | Concatenates the user’s title (from an asset record) and department (from an asset record) into a single field for efficient display. For example, for a Linux System Administrator in the IT Department, the Title & Dept (Asset) field would display: Linux System Administrator / IT | String |
| Title & Dept (User) | Concatenates the user’s title (from a user record) and department (from a user record) into a single field for efficient display. For example, for an Engineer in the Product Department, the Title & Dept (User) field would display: Engineer / Product | String |
| VPC CIDR Block | Extracts the VPC CIDR block for an asset. For example, for an asset, the VPC CIDR field could display: 172.16.0.0/16 or 10.0.0.0/24 | String |
| VPC Subnet CIDR Block | Extracts the VPC subnet CIDR block value for an asset. For example, for an asset, the VPC Subnet CIDR Block field could display: 172.16.96.0/19 or 10.0.0.126.26 | String |
| Wildcard In Use | Checks all compute assets that are assigned to public cloud security groups (supports AWS, Azure, and GCP syntax). If any of the security group rules allow unrestricted inbound IP access, this SmartLabel will be set to True. Returns TRUE if an asset is a member of a cloud security group that allows unrestricted inbound IP access. | Boolean |
| Windows Server | Returns the value “TRUE” if an asset has an OS of Microsoft Windows and the OS version matches Server or server. Returns the value “FALSE” if an asset does not have an OS of Microsoft Windows and the OS version does not match Server or server. | Boolean |
| Windows Workstation | Returns the value “TRUE” if an asset has an OS of Microsoft Windows and the OS version does not match Server or server. Returns the value “FALSE” if an asset does not have an OS of Microsoft Windows and the OS version does match Server or server. | Boolean |
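
The kind of check the Wildcard In Use row describes can be reproduced outside Lucidum when auditing an inventory export. The following is an added example, not Lucidum's implementation: the rule-set shapes are simplified from the AWS, Azure and GCP API formats, the choice to treat Azure's `*` and `Internet` as unrestricted is an assumption, and the sample inventory is constructed.

```python
import ipaddress

# Non-CIDR source values treated here as "any address" (Azure NSG syntax).
AZURE_ANY = {"*", "internet"}

def is_unrestricted(source):
    """True if a rule source covers every IPv4 or IPv6 address."""
    s = (source or "").strip().lower()
    if s in AZURE_ANY:
        return True
    try:
        return ipaddress.ip_network(s, strict=False).prefixlen == 0
    except ValueError:
        return False  # group reference, service tag, empty value

def aws_sources(group):
    for perm in group.get("IpPermissions", []):  # inbound rules only
        yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
        yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))

def azure_sources(nsg):
    for rule in nsg.get("securityRules", []):
        p = rule.get("properties", rule)
        if p.get("direction") == "Inbound" and p.get("access") == "Allow":
            yield p.get("sourceAddressPrefix")
            yield from p.get("sourceAddressPrefixes") or []

def gcp_sources(fw):
    if fw.get("direction") == "INGRESS" and fw.get("allowed") and not fw.get("disabled"):
        yield from fw.get("sourceRanges", [])

EXTRACTORS = {"aws": aws_sources, "azure": azure_sources, "gcp": gcp_sources}

def wildcard_in_use(groups):
    """groups: list of (provider, rule_set) pairs attached to one asset."""
    return any(is_unrestricted(src)
               for provider, rule_set in groups
               for src in EXTRACTORS[provider](rule_set))

# Constructed sample inventory (not real data).
SAMPLE = {
    "web-1": [("aws", {"IpPermissions": [{"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]})],
    "db-1": [("aws", {"IpPermissions": [{"IpRanges": [{"CidrIp": "10.0.0.0/24"}]}]})],
    "vm-1": [("azure", {"securityRules": [{"properties": {
        "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*"}}]})],
    "vm-2": [("azure", {"securityRules": [{"properties": {
        "direction": "Inbound", "access": "Deny", "sourceAddressPrefix": "*"}}]})],
    "gce-1": [("gcp", {"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp"}], "sourceRanges": ["::/0"]})],
}
```

Only allow rules on the inbound path count, so the Azure deny rule on `vm-2` and the private range on `db-1` do not set the flag.
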
Cloning Value-Oriented SmartLabels
You can use Value-Oriented SmartLabels as a template, to be customized for your environment. To clone a Value-Oriented SmartLabel, see the section on cloning SmartLabels.